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Abstract. Reactive computer systems bear inherent complexity due to 
continuous interactions with their environment. While this environment 
often proves to be uncontrollable, we still want to ensure that critical 
computer systems will not fail, no matter what they face. Examples are 
legion: railway traffic, power plants, plane navigation systems, etc. For- 
mal verification of a system may ensure that it satisfies a given specifi- 
cation, but only applies to an already existing model of a system. In this 
work, we address the problem of synthesis: starting from a specification 
of the desired behavior, we show how to build a suitable system con- 
troller that will enforce this specification. In particular, we discuss recent 
developments of that approach for systems that must ensure Boolean be- 
haviors (e.g., reachability, liveness) along with quantitative requirements 
over their execution (e.g., never drop out of fuel, ensure a suitable mean 
response time). We notably illustrate a powerful, practically useable al- 
gorithm for the automated synthesis of provably safe reactive systems. 



1 Context 

Nowadays, more and more aspects of our society depend on critical reactive 
systems, i.e., systems that continuously interact with their uncontrollable envi- 
ronment. Think about control programs of power plants, ABS for cars or airplane 
and railway traffic managing. Therefore, we are in dire need of systems capable 
of sustaining a safe behavior despite the nefarious effects of their environment. 

Good developers know that testing do not capture the whole picture: never 
will it proves that no bug or flaw is present in the considered system. So for 
critical systems, it is useful to apply formal verification. That means using 
mathematical tools to prove that the system follows a given specification which 
models desired behaviors. While verification applies a posteriori, checking that 
the formal model of a system satisfies the needed specification, it is most of the 
time desirable to start from the specification and automatically build a system 
from it, in such a way that desired properties are proved to be maintained in 
the process. This a priori process is known as synthesis. 

The mathematical framework we use is game theory. It is a wide field with 
extensive formal bases and applications in numerous disciplines as diverse as 
economics, biology, operations research and, of course, computer science. Games 
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model interactions between cooperating and/or competiting players who play to 
the best of their abilities in order to satisfy individual or common objectives. 
While interesting works of Borel [4] and even Cournot [12] precede them, von 
Neumann and Morgenstern are generally considered as the "Founding Fathers of 
(Modern) Game Theory" through their 1944 book titled Theory of Games and 
Economic Behavior [20]. 

Roughly speaking, we consider a reactive system as a player (player 1), and 
his uncontrollable environment as its adversary (player 2). We model their in- 
teractions in a game on a graph, where vertices model states of the system and 
its environment, and edges model their possible actions. Constructing a correct 
system controller then means devising a strategy (i.e., a succession of choices 
of actions) for player 1 such that, whatever the strategy of player 2, the out- 
come of the play satisfies the specification. Such game-theoretic formulations 
have proved useful for synthesis [11,17,18], verification [1], refinement [15], and 
compatibility checking [13] of reactive systems, as well as in analysis of emptiness 
of automata [19]. 





requirements 



Fig. 1. Controller synthesis through game theory: process. 



In this paper, we do not address the full theoretical deepness of such an 
approach but rather try to motivate and illustrate its usefulness towards an 
audience who may not be familiar with it. To that end, we discuss a motivating 



toy example. First, we present the informal description of a reactive system 
and the behavior it should enforce. Second, we show how to use the game- 
theoretic framework to model its relationship with its environment and formalize 
the desired specification. Third, we use the sound theory of synthesis and exhibit 
a suitable controller that ensures satisfaction of the specification. Our discussion 
is mostly high level and intuitive. 

A wide variety of games (and thus system models) have been studied re- 
cently, with diverse enforceable behaviors [2,5,6,7,8,9,14,16]. In this work, we will 
focus on systems that must satisiy qualitative behaviors (e.g., always eventually 
granting requests, never reaching a deadlock) along with multiple quantitative 
requirements (e.g., maintaining a bound on the mean response time, never run- 
ning out of energy). In particular, we illustrate recent results of Chatterjee et al. 
[10] that are the first to provide a synthesis algorithm for such games, as well as 
a deep study of the complexity of the synthesized controllers. 

2 Problem 

Consider the following running example. Wo want to synthesize a controller for 
a robotized lawnmower. This lawnmower is automatically operated, without any 
human intervention. We present its informal specification, as well as the effects 
the environment can have on its operation. 

— In this partial, simplified specification, the gardener do not ask for the lawn- 
mower to satisfy any bound on the frequency of grass-cuttings. However, as 
he wants that the grass does not grow boundlessly, the lawnmower should 
cut the grass infinitely often in the future (as if it stops someday, the grass 
will not stop growing from then on). 

— The lawnmower has an electric battery that can be recharged under sunshine 
thanks to solar panels, and a fuel tank that can only be filled when the 
lawnmower is back on its base. Both are considered unbounded to keep 
things simple. 

— The weather can be cloudy or sunny. 

— The lawnmower can refuel (2 fuel units) at its base under both weather 
conditions, but can only recharge its battery (2 battery units) when it is 
sunny. Resting at the base takes 20 time units. 

— When cloudy, it can operate either under battery (1 battery unit) or using 
fuel (2 fuel units), both according to the same speed (5 time units). When 
sunny, the lawnmower may either cut the grass slowly, which always succeeds 
and consumes no energy (as the sun recharges the battery along the way), 
but takes 10 time units. Or it may cut the grass fast, which consumes both 
1 unit of fuel and 1 unit of battery, but only takes 2 time units. 

— When operating fast, the lawnmower makes considerably much noise, which 
may wake up the cat that resides in the garden and prompt it to attack the 
lawnmower. In that case, the grass-cutting is interrupted and the lawnmower 
goes back to its base, losing 40 time units as repair is needed. The cat does 
not go out if the weather is bad. 



— As the gardener cannot benefit from his garden while the lawnmower is 
operating, he wants that the mean time required by actions of the lawnmower 
is less than 10 time units. 

While simple, this toy example already involves qualitative requirements (i.e., 
the grass should be mown infinitely often), along with quantitative ones. There 
are indeed three quantities that have to be taken into account: battery and fuel 
arc energy quantities, which should never be exhausted, and time per action is 
a quantity which mean over an infinite operating of the lawnmower should be 
less than a given bound. 

Given this informal description of the capabilities of the system and its envi- 
ronment, as well as the specification the system should enforce, we need to build 
a system controller that guarantees satisfaction of the specification. 

3 Modeling as a game 

Game. We model the states and the interactions of the couple sys- 
tem/environment as a graph game where the system (here, the lawnmower) is 

player 1 and the environment is its adversary player 2. Formally, a game struc- 
ture is a tuple G = {Si, S2, Sinit,E, k, w,p) where (i) 5*1 and S2 resp. denote the 
finite sets of states belonging to player 1 and player 2, with fi ^2 = 0; (ii) 
Sinit G S = SiU S2 IS the initial state; (iii) E C S x S is the set of edges s.t. for 
all s £ S, there exists s' £ 5 s.t. (s, s') £ E; (iv) G N is the dimension of the 
weight vectors; (v) w : E ^ Z'' is the multi- weight labeling function; and (vi) 
p : S' — > N is the priority function. 

The game starts at an initial state, and if the current state is a player 1 
(resp. player 2) state, then player 1 (resp. player 2) chooses an outgoing edge. 
This choice is made according to a strategy of the player: given the sequence 
of visited states, a strategy chooses an outgoing edge. For this case study, we 
only consider strategies that operate this choice deterministically. This process 
of choosing edges is repeated forever, and gives rise to an outcome of the game, 
called a play, that consists of the infinite sequence of states that arc visited. 
Formally, a play in G is an infinite sequence of states tt — sosiS2 • . • s.t. so — Sinit 
and for all i > 0, we have (si, Si+i) £ E. The prefix up to the n-th state of play 
TT — sqsi . . . Sn ■ ■ ■ is thc finite sequence 7r(n) = sosi . . . s„. Such a prefix 7r(n) 
belongs to player i, i E {1:2}, if ,s„ £ Si. The set of plays of G is denoted by 
Plays(G'). The set of prefixes that belong to player i is denoted by PrefSi(G). 

Applying this formalism, we represent the lawnmower problem as the game 
depicted on Fig. 2. Edges correspond to choices of the system or its environment 
and taking an edge implies a change on the three considered quantities, as de- 
noted by the edge label. The grass-cutting state is special as the specification 
requires that it should be visited infinitely often by a suitable controller. 

Strategies. Formally, a strategy for Vi, i £ {1,2}, in G is a function Aj : 
Prefsj(G) S s.t. for all p = soSi...Sn G Prefsj(G), we have (s„,Aj(p)) G 
E. The history of a play (i.e., the previously visited states and their order of 



appearance) may thus in general be used by a strategy to prescribe its choice. 
A strategy Aj for Vi has finite memory if the history it needs to remember can 
be bounded. In that case, the strategy can be encoded by a deterministic Moore 
machine. As discussed earlier, a strategy of player 1 (the lawnmower) provides 
a complete description of a controller for the system, prescribing the actions to 
take in response to any situation. Therefore, our task is to build a strategy that 
satisfies the specification. 



cat 
(0,0,40) 



switch to fuel 
(0,0,0) 




(0, -2,5) 



Fig. 2. Lawnmower game. Edges are fitted with tuples denoting changes in battery, 
fuel and time respectively. 



Objectives. To devise such a strategy, it is needed to formalize the specification 
as objectives of the game. The conjunction of objectives yields a set of winning 
plays that endorse the specification. A strategy of player 1 is thus said to be 
winning if, against every possible strategy of the adversary, the play induced by 
following this strategy belongs to the winning set of plays. 

The informal specification developed in Section 2 is encoded as the following 
objectives. We ommit technical details for the sake of this case study. 

— Battery and fuel. Both constitute energy types which quantities are never 
allowed to drop below zero. A play is thus winning for the energy objective if 
the running sum of the weights encountered along it (i.e., changes induced by 
the taken edges) never drops below zero on any of the first two dimensions. 

— Mean action time. The specification asks that the lawnmower spends no 
more than 10 time units per action on average in the long run. That is, it is 
allowed to take more than 10 time units on some actions, but the long-run 



mean should be below this threshold. Therefore, the mean-payoff objective 
requires that the limit of the mean of the third-dimension weights over the 
prefix of a play is lower than 10. 
— Infinitely frequent grass-cutting. To satisfy this part of the specification, a 
strategy of player 1 must ensure that the grass-cutting state is visited in- 
finitely often along the induced play. This is encoded as a Biichi objective 
(or as a parity objective via the priority function in the most general case). 

4 Synthesis 

Process. Since our desire is to build practical real-world controllers, we are only 
interested in strategies that require finite memory. From a theoretical standpoint, 
there exist classes of games where infinite memory may help to achieve better 
results (see for example [8]), but infinite- memory strategies are of no practical 
use, as implementing a controller with infinite memory capabilities is obviously 
ruled out. 

The core of the synthesis process depicted on Fig. 1 is thus to construct, if 
possible, a finite-memory strategy that ensures satisfaction of the previously de- 
fined objectives, as well as a corresponding initial value of the energy parameters, 
commonly referred to as initial credit. That is because for the energy objectives, 
it is allowed to start the game with some finite quantity in stock, before taking 
any action. Think about starting a race with some fuel in your tank. 

While of importance for the analysis of systems with both qualitative and 
quantitative requirements, the synthesis problem for the class of games that 
is used to model the lawnmower problem, i.e., games with parity and multi 
energy or mean-payoff objectives, has only been considered recently [10] . In this 
paper, the complexity of synthesized controllers is studied and it is shown that 
for some systems, exponentially complex controllers are needed to enforce the 
specification. Moreover, exponential size controllers are always suflacient, i.e., if 
no exponential controller is able to enforce the specification, then implementing 
more complex controllers is no help. 

Result 1 (Induced by [10, Theorem 1]). Enforcing a specification combining 
both qualitative and quantitative aspects may require exponential size controllers 

in terms of memory requirements in the worst case. 

Interestingly, answering the question "does there exist a finite-memory con- 
troller that satisfies a given specification ?" was shown to be coNP-complete in 
[8]. However, no deterministic algorithm was known to synthesize such a con- 
troller. Only quite recently, a practically implementable algorithm of optimal 
complexity for the synthesis of specification-wise suitable controllers was pre- 
sented in [10]. This algorithm is both symbolic and incremental, and uses com- 
pact representations of data sets, thus being an ideal choice for implementation 
into synthesis tools. 

Result 2 (Induced by [10, Theorem 2]). The synthesis of controllers for 
systems with qualitative and quantitative requirements, such as the lawnmower, 
is in EXPTIME. 



This algorithm automatically builds suitable controllers with regard to the 
desired specification, if one is constructible. Therefore, it is the key tool in the 
synthesis process depicted on Fig. 1, and gives rise to an innovative and sound 
approach to the conception of provably safe reactive systems. 

Lawnmower controller. To conclude our case study, we exhibit a synthesized 
controller that enforces the desired specification. Notice that there may exist 
other acceptable controllers. The one wc present here is quite simple but already 
asks for some memory (in the form of bookkeeping of battery and fuel levels). 
The controller implements the following strategy: 

— Start the game with empty battery and fuel levels. 

— If the weather is sunny, mow slowly. 

— If the weather is cloudy, 

• if there is at least one unit of battery, mow on battery, 

• otherwise, if there is at least two units of fuel, mow on fuel, 

• otherwise, rest at the base. 

Notice that this strategy guarantees never running out of energy (which sat- 
isfies the energy objectivcis). induces infinitely frequent grass-cuttings (which 
satisfies the Biichi objective) , and produces a play on which the mean time per 
action is less than 10 against any strategy of the adversary (which satisfies the 
mean-payoff objective). In this sample controller, the lawnmower never uses the 
"fast mow" action as the adversary could very well play "cat" and prevent visit 
of the grass-cutting state. 

5 Conclusion 

Through this case study, we have discussed how the game-theoretic framework 
can help in the synthesis of controllers. We have intuitively introduced some of 
the key underlying concepts such as games, strategies, qualitative and quantita- 
tive objectives. We have also discussed the recent development of a practically 
useable algorithm for the automated synthesis of valid controllers [10]. 

It is worthwhile noticing that automated synthesis suites for fragments of the 
presented formalism or similar logics are already in practical use, such as the 
LTL synthesis tool Acacia+ for example [3] (which only applies to qualitative 
requirements). Thanks to the recent developments on the conjunction of quali- 
tative and quantitative objectives [10], such tools could very well be extended to 
encompass all the needed complexity for the specification of real- world systems. 
Such an approach should be a leading trend for the analysis and synthesis of 
provably safe controllers for reactive systems in the near future. This discussion 
illustrates its interest, while abstracting the sound theory underneath. 
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